TrickBot virus. How to remove? (Uninstall guide)

By Julie Splinters | Type: Trojans

TrickBot – a deceptive banking trojan widely used by cybercriminals

[Image: TrickBot, the infamous financial trojan used by many cybercriminal groups]


TrickBot is a financial Trojan first discovered in 2016; it targeted customers of leading banks in the UK, US, Australia and other countries. The virus is well known for its ability to mimic online banking windows and steal personal information such as login names and passwords. Analysts claim that this malicious program was created and released after its authors noticed the significant success of the Dyre trojan[1]. While in June 2017 it was actively attacking CRMs and payment processors, TrickBot has since employed a new malspam campaign for distribution[2].

Name: TrickBot
Type: Banking Trojan
Distribution: Malspam, botnets
Symptoms: Increased CPU usage, slow device performance, etc. However, trojans rarely exhibit any symptoms
Functionality: Hijacks browsers and displays fake versions of online banking websites, stealing sensitive banking information
Danger level: High. Can lead to identity fraud or stolen money
Programming language: C++
First appearance: Mid-2016
Detection and elimination: Use Reimage, Malwarebytes, Plumbytes Anti-Malware or Norton Internet Security

Analysis revealed that this banking Trojan employs encryption techniques and hijacking strategies similar to those of Dyre (also known as Dyreza). The malware can bypass some security applications and infiltrates the system when the user clicks a malicious link or downloads a fake program. This can make TrickBot removal quite difficult.

After the invasion, TrickBot injects its malicious scripts and code into banking websites. In other words, the cyber threat switches the original version of the site for its malignant substitute. This technique was implemented in C; the newly detected TrickBot variant is written in its successor, C++.

What is more, the technique is supplemented by the Microsoft CryptoAPI instead of the AES and SHA256 routines previously employed by Dyre. Unlike the previous version of the virus, Trojan.TrickBot executes COM and TaskScheduler commands to maintain persistence on the computer.
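Because the guide above names the Task Scheduler as a persistence mechanism, here is an added triage example (not code from the original guide) that lists scheduled tasks whose action executable lives in a user-writable directory, which is where malware-created tasks are usually found. It assumes the built-in ScheduledTasks module (Windows 8 / Server 2012 or later) and is a general review aid, not a TrickBot-specific signature.

```powershell
# Added example (not from the original guide): review Scheduled Tasks for
# persistence entries whose executable lives in a user-writable location.
# Assumes the built-in ScheduledTasks module (Windows 8 / Server 2012 or later).

# Constructed list of directories in which a legitimate Windows task rarely lives.
$suspectRoots = @(
    [IO.Path]::GetTempPath(),
    $env:APPDATA,
    $env:LOCALAPPDATA,
    $env:ProgramData,
    $env:PUBLIC
)

function Test-SuspectPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    # Strip surrounding quotes and expand %VARS% before comparing prefixes.
    $expanded = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    foreach ($root in $suspectRoots) {
        if ($root -and $expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

function Get-SuspectScheduledTask {
    # Only Exec actions carry an Execute property; COM-handler actions yield $null here.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $exe = $action.Execute
            if (Test-SuspectPath $exe) {
                [PSCustomObject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    State     = $task.State
                    RunAs     = $task.Principal.UserId
                    Execute   = $exe
                    Arguments = $action.Arguments
                    LastRun   = ($task | Get-ScheduledTaskInfo).LastRunTime
                }
            }
        }
    }
}

# Print the findings; verify each hit before removing it with Unregister-ScheduledTask.
Get-SuspectScheduledTask | Format-Table -AutoSize
```

Legitimate vendor updaters sometimes run from ProgramData or AppData too, so treat a hit as something to check (publisher, signature, creation time) rather than as proof of infection.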

The first campaigns targeted Australian banks only. However, in April 2017 the TrickBot Trojan was spotted attacking banks in the United States, Canada, United Kingdom, Ireland, Germany, France, Switzerland and New Zealand.[3]

Although the Trojan mostly targets bank customers, other users might encounter it as well. In case of an attack, you need to run a full system scan with a reputable malware removal program, such as Reimage. It will help to remove TrickBot from the system entirely.

Fake Lloyds Bank emails help to distribute TrickBot

Experts have recently spotted a new way of distributing the TrickBot trojan. The malware was spreading inside emails purporting to come from Lloyds Bank[4], disguised as an attachment holding confidential account documents. Note that the official Lloyds Bank is not related to this malspam campaign in any way, except that its name was used for malevolent purposes.

Victims report receiving an email from <> on December 6, 2017 which contained a Protected32.doc attachment. Obviously, the letter was designed to look extremely genuine and convinced many people of its legitimacy.

The email briefly told recipients that it was an automatically sent message which did not require a reply. It simply encouraged gullible people to check the attachment and included the following instructions:

To unlock/view your documents, follow the instructions below.

1. Look for an attachment (Protected.doc) ( typically at the top or bottom; location varies by email service).
2. Your Authorization code is: 430SJAOPS982XXS.
3. Enter the authorization code when prompted.

Remember that you should not open any email attachments which look suspicious or unrelated to you. We also want to remind you about the previous techniques which hackers used to spread TrickBot malware. In June 2017 the hackers employed a similar malspam campaign which was almost identical to the one spreading Jaff ransomware.

Cybercriminals used social engineering techniques to trick users into opening a malicious email attachment. They included an obfuscated PDF file that opens a Word document. This file asked the user to enable macros in order to see the content. Clicking the "Enable Macros" button executes the Trojan on the system. New victims of TrickBot were banks in India, Singapore, the Netherlands and Bulgaria.[5]

However, financial institutions were not the only ones who suffered from the TrickBot Trojan. It now also targets two Customer Relationship Management (CRM) SaaS providers and PayPal users. In May, security researchers discovered two malware distribution campaigns that targeted 210 URLs and 251 URLs respectively.

Latest TrickBot appearances

A TrickBot update came in March 2018, when hackers improved the code to make it harder to detect and defend against. It has also been used to provide screen-locking capabilities, working similarly to ransomware. However, it seems that this aspect of the virus is not fully developed yet, as the module that is meant to encrypt files does not accomplish its goal.

[Image: TrickBot banking trojan. Cybercriminals collaborate to create persistent and even more dangerous malware]

In May of the same year, security researchers[6] noted a collaboration between two viruses, TrickBot and IcedID. While most Trojans would usually remove previously installed malware, the authors of these malicious threats decided to work together and share profits. Apparently, computers infected with IcedID were also injected with TrickBot, making the malware operation much more efficient.

The latest appearance of the TrickBot virus was spotted in June 2018.[7] This time, the malware targeted UK citizens with spoofed HM Revenue & Customs emails, which claimed that there was an outstanding amount of money that victims needed to pay back. Users were then prompted to click on a malicious link or on the attachment, which delivered TrickBot.

Trojan spreads via phishing emails

Experts have found that phishing emails are still the primary distribution method used by hackers to deliver TrickBot[8]. The attachments might be disguised as genuine-looking PDF or DOC documents, and the emails often carry an "Invoice" or "Private Details" subject line. People are easily tricked into opening the malicious attachments since the criminals imitate well-known companies.

The malware also aims at PayPal users. Thus, if you receive an email from PayPal about suspicious activity in your account or reporting other problems, you should log in to the PayPal website directly instead of clicking the provided links or opening attached documents.

The crooks develop different techniques to access personal information. Thus, such emails are usually very convincing. Do not fall into their trap even if they ask you to review suspicious invoice documents or tax reports.

[Image: TrickBot financial trojan. TrickBot is mainly distributed using cleverly engineered phishing emails]

Furthermore, the Trojan can attach itself to a free application. So you should give it a second thought before installing even a new media player.

The latter often happens to be the carrier of more malicious cyber threats. By exercising additional caution, you will reduce the probability of TrickBot hijack.

Terminate TrickBot virus using trusted security software

The only way to clean your system of this Trojan horse is to employ reliable security software for TrickBot removal. This malicious program has the ability to imitate legitimate computer processes or files.

Therefore, trying to find and eliminate all malware-related files from the computer is a difficult and complicated task that might lead to irreparable damage to the system.

We highly recommend installing Reimage, Malwarebytes, Plumbytes Anti-Malware or Norton Internet Security and running a full system scan with one of these security programs.

Lastly, we want to remind you that you have to remove TrickBot immediately, because this data-stealing trojan might lead to money loss and other serious privacy-related issues.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software you agree to our privacy policy and agreement of use.

To remove TrickBot virus, follow these steps:

Remove TrickBot using Safe Mode with Networking

If TrickBot does not let you operate the anti-virus program properly, enter Safe Mode with Networking:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove TrickBot

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before a full system scan, then remove the malicious files that belong to TrickBot to complete TrickBot removal.

If TrickBot is blocking Safe Mode with Networking, try the next method.

Remove TrickBot using System Restore

Another way to get rid of the virus is by using the System Restore function:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point that is prior to the infiltration of TrickBot. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you have restored your system to a previous date, download Reimage, scan your computer with it, and make sure that TrickBot removal is performed successfully.

About the author

Julie Splinters - Malware removal specialist
